About cyber-fragility and the "pre-9/11" moment

In my "Cyber Warriors" article in the current issue, I mention that a variety of internet-security experts contend that we are living in a "pre-9/11 era" on this subject. But this they mean not that thousands of people will be killed and everything about U.S. politics and policy will be thrown up for grabs. Rather, the image is meant to suggest that policy and public awareness will be divided into "before" and "after" phases. And "after" this happens -- whatever "this" turns out to be in the cyber-destruction field -- people will ask why we weren't more vigilant ahead of time. A story just now in the Washington Post uses just the same imagery, talking about an exercise yesterday that was "staged... to demonstrate to a complacent public the
plausibility of an attack that could in many ways be as crippling as the
Sept. 11, 2001, terrorist strikes."*

From Gary Chapman, of the LBJ School at UT Austin, who has been writing about the internet aspects of national security since the 1990s, an objection to mis- and over-use of the "pre-9/11" imagery. Later on, I'll post a contrary view, from another tech veteran who thinks that the warnings are perfectly appropriate. Chapman writes:

"Concerns about cybersecurity and the potential for a national
"catastrophe" initiated by hackers -- whatever their motivations or
backing -- are reasonable; until people start using analogies to 9/11 or
begin talking about a looming "digital Pearl Harbor." Admiral Mike
McConnell [former NSA director, whom I quote several times in my article] has been raising such alarms, but count me as a skeptic. It is
difficult to imagine the loss of any computer-dependent system
comparing to the spectacle of 9/11, its implications for security for
ordinary Americans, or the emotional impact of that event, particularly
over the horrifying deaths that millions of people watched on
television. Likewise, the significance of Pearl Harbor, which launched
the country into the biggest war of all time, is not likely to be
matched by a computer-related failure, even one that dramatically
damages the global financial system. We should use the analogies to 9/11
and Pearl Harbor sparingly, if at all, and not for a possible failure
of computer networks or digital transactions. Terrorists using weapons
of mass destruction might qualify, but not computer hackers.

"Admiral
McConnell believes that nothing will motivate Americans to take
cybersecurity seriously until a disaster happens, which is probably
true. But unlike 9/11 or Pearl Harbor, Americans are likely to blame the
managers of institutions that are the targets of hackers, not the
hackers or their sponsors, who will in any case be obscure or difficult
to identify. McConnell apparently believes that the cybersecurity of big
banks is a matter of national security, but it would be hard to imagine
an industry with lower esteem in the eyes of the public these days, and
therefore one that is highly unlikely to "come clean" about their
vulnerabilities to hackers. The public, in its current sour mood about
large institutions in the U.S., would probably support the *dismantling*
of a system that makes the U.S. vulnerable to computer threats rather
than more government spending to secure the Wall Street firms that
precipitated the financial crisis and the recession."

In similar vein, a tech-policy veteran who asks not to be named writes:

"The loose talk about "digital Pearl Harbor" and "equivalent to 9/11" is
regrettable, in my opinion. We should learn how to calibrate
cyberthreats, which are serious but not in the same league. Something
bad happening to PayPal or even CitiBank is not the same as planes
bombing Hawaii or crashing into the World Trade Center, I'm sorry. We
should resist these kinds of analogies."

By instinct and experience I am skeptical of "threat-inflation" sloganeering, whether about the cyber or the "real" world. (No doubt this point is at top-of-mind right now because I am sitting in an airport lobby where every five minutes the PA system delivers the news that "the current threat advisory as established by the Department of Homeland Security is 'Orange'." Tell me, please oh Lord, who on Earth is made safer or more secure, or which evil-doer anywhere is more hindered, by repetitive broadcast of this moronic boilerplate? What does the "current" level mean, if it never changes?** Why is it the same in Washington DC, which someone might want to blow up, and rural Mississippi, which is probably under less imminent threat? What am I supposed to do or think because it's "orange"? Is there any conceivable reason this system is still in place -- other than the fact that no political official dares take the risk of recommending that it be lowered? But I digress.)

Back to cyber-security: I think the 9/11 comparison is useful strictly in the terms mentioned above: That if there is some large disruption, the whole issue will be discussed in an entirely different way, and policies will change, in both positive and panicky overkill directions. Acting calmly right now would be preferable ... but so would a lot of other things that we not going to do.

Next up: a reader's argument that 9/11 allusions are indeed realistic when it comes to the potential damage done by cyber-threats.____* Update: I see that the Atlantic Wire is on
this theme too. Escher-drawing style, it includes a reference to my own Atlantic article on the topic.

** To be fair, it has only been at its steady "Orange" level for the past four and a half years, since the summer of 2005. So it's not that it "never" changes; it just hardly ever changes -- as wars begin and end, regimes rise and fall, world politics changes, terrorists are arrested or set free, etc.

James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. His latest book is China Airborne.
More

James Fallows is based in Washington as a national correspondent for The Atlantic. He has worked for the magazine for nearly 30 years and in that time has also lived in Seattle, Berkeley, Austin, Tokyo, Kuala Lumpur, Shanghai, and Beijing. He was raised in Redlands, California, received his undergraduate degree in American history and literature from Harvard, and received a graduate degree in economics from Oxford as a Rhodes scholar. In addition to working for The Atlantic, he has spent two years as chief White House speechwriter for Jimmy Carter, two years as the editor of US News & World Report, and six months as a program designer at Microsoft. He is an instrument-rated private pilot. He is also now the chair in U.S. media at the U.S. Studies Centre at the University of Sydney, in Australia.

Fallows has been a finalist for the National Magazine Award five times and has won once; he has also won the American Book Award for nonfiction and a N.Y. Emmy award for the documentary series Doing Business in China. He was the founding chairman of the New America Foundation. His recent books Blind Into Baghdad (2006) and Postcards From Tomorrow Square (2009) are based on his writings for The Atlantic. His latest book is China Airborne. He is married to Deborah Fallows, author of the recent book Dreaming in Chinese. They have two married sons.

Fallows welcomes and frequently quotes from reader mail sent via the "Email" button below. Unless you specify otherwise, we consider any incoming mail available for possible quotation -- but not with the sender's real name unless you explicitly state that it may be used. If you are wondering why Fallows does not use a "Comments" field below his posts, please see previous explanations here and here.